> Please refer to your OEM for the BIOS update specific to your product.

Unless running hardware also used by powerful hosting providers (some of which care for security), these mitigation will not reach many systems. Checked a few "client" samples, seems like MSI has provided updated binary blobs, ASRock has provided some, Gigabyte has provided broken ones first and then backdated the new ones, ASUS (ROG/RUF/CSM) and Biostar customers are still waiting.

So wait, is this fixed in BIOS or microcode?

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/lin...

Based on my reading of https://www.amd.com/en/resources/product-security/bulletin/a... there's a microcode fix for EPYC generations 1-4 that requires no downtime, everything else needs a firmware update.